Fireware Services Expiration
Fireware subscription services need regular updates to operate effectively. The subscription services are:
- Gateway AntiVirus
- Intrusion Prevention Service
- Reputation Enabled Defense
- Application Control
- Data Loss Prevention
- APT Blocker
- Botnet Detection
- Network Discovery
- Threat Detection and Response
In addition, an initial subscription to support services is activated when you register your product. The support service subscription is identified in the feature key by the old name for WatchGuard support, LiveSecurity Service. Your support subscription gives you access to technical support, software updates, and feature enhancements. It also extends the hardware warranty of your WatchGuard device and provides advance hardware replacement.
We recommend that you renew your subscription services before they expire.
A subscription expires at 12:00 AM on the day after the specified expiry date. For example, if your expiry date is 04/07/2020, the feature expires and stops working at 12:00 AM on 04/08/2020.
Subscription Renewal Reminders
The Firebox sends you reminders to renew your subscriptions. When you save a configuration to your Firebox, Policy Manager warns you if a subscription will expire. These warnings appear 60 days before, 30 days before, 15 days before, and one day before the expiration date.
You can also use Firebox System Manager to monitor your subscription services. If a subscription service is about to expire or is expired, a warning appears on the front panel of Firebox System Manager and Renew Now appears at the upper-right corner of the window. Click Renew Now to go to the WatchGuard website to renew the subscription.
In Fireware Web UI, you can see the subscription service expiration dates in the License Information section of the System page.You can also configure the Firebox to send you an alert when a subscription is about to expire. For more information, see Enable Feature Key Synchronization and Alarm Notification.
To learn more about how to renew security service subscriptions, see Renew Subscription Services.
Feature Key Compliance
When you save a configuration to the device from Policy Manager (File > Save > To Firebox), Policy Manager checks to see if any configured services are expired. You cannot save any configuration changes from Policy Manager to the Firebox when a configured subscription service is expired. If you try to save a configuration to the device, the Feature Key Compliance dialog box appears, with a list of all configured services that are expired. You must either add a feature key with a later expiration date for the expired services, or you must select each service and click Disable to disable the service. After you disable the expired services, Policy Manager saves the updated configuration to the device.
If the Support subscription on your device is expired, you can save configuration changes to the device, but you cannot upgrade or reinstall any version of Fireware OS on the device.
Security Service Expiration Behavior
When a subscription service expires, that service does not operate, and the configuration options are disabled. The specific expiration behaviors for each subscription service are described below.
When the Gateway AntiVirus subscription expires:
- Gateway AntiVirus signature updates stop immediately.
- Gateway AntiVirus stops detecting and blocking viruses immediately. If the device attempts a Gateway AntiVirus scan when Gateway AntiVirus is enabled but expired, the device takes the same action as when a scan error occurs, as configured in the AntiVirus proxy action settings. A scan error is also sent to the log file.
- Gateway AntiVirus configuration options are disabled in Policy Manager, except for the ability to disable Gateway AntiVirus for a policy that has it enabled.
- Gateway AntiVirus configuration options are disabled in Fireware Web UI.
- IntelligentAV stops scanning files, even if IntelligentAV is enabled and has a valid feature key.
When the IntelligentAV subscription expires:
- IntelligentAV updates stop immediately.
- IntelligentAV stops scanning files immediately.
- IntelligentAV configuration options are disabled in Policy Manager.
- IntelligentAV configuration options are disabled in Fireware Web UI.
Intrusion Prevention Service (IPS)
When the IPS subscription expires:
- IPS signature updates stop immediately.
- IPS stops detecting and blocking intrusions immediately.
- For Fireware v11.0–v11.3.x, if the device attempts an IPS scan when IPS is enabled but expired, the device allows the content and sends a scan error to the log file.
- For Fireware v11.4 and higher, IPS configuration options are disabled in Policy Manager
- For Fireware v11.0–v11.3.x, IPS configuration options are disabled in Policy Manager, except for the ability to disable IPS for a policy that has it enabled.
- IPS configuration options are disabled in Fireware Web UI.
When the WebBlocker subscription expires:
- Updates to the WebBlocker Server stop immediately.
- WebBlocker stops scanning web content immediately.
- The License Bypass setting in the WebBlocker configuration controls whether policies that have WebBlocker enabled allow or deny access to all websites when WebBlocker is expired. By default, policies that have WebBlocker enabled deny access to all websites when the WebBlocker service is expired.
If your WebBlocker subscription expires, and you did not change the default License Bypass setting before the service expired, WebBlocker denies access to all websites. You cannot change the License Bypass setting after the service has expired. If your service is expired and WebBlocker denies access to all websites, you must either disable WebBlocker for each policy that had it enabled, or renew the WebBlocker service and import an updated feature key.
- WebBlocker configuration options are disabled in Policy Manager, except for the ability to disable WebBlocker for a policy that has it enabled.
- WebBlocker configuration options are disabled in Fireware Web UI.
When the spamBlocker subscription expires:
- spamBlocker stops blocking spam immediately.
- spamBlocker configuration options are disabled in Policy Manager, except for the ability to disable spamBlocker for a policy that has it enabled.
- spamBlocker configuration options are disabled in Fireware Web UI.
Reputation Enabled Defense
When the Reputation Enabled Defense subscription expires:
- Reputation Enabled Defense stops checking reputation immediately.
- Reputation Enabled Defense configuration options are disabled in Policy Manager, except for the ability to disable Reputation Enabled Defense for a policy that has it enabled.
- Reputation Enabled Defense configuration options are disabled in Fireware Web UI.
When the Application Control subscription expires:
- Application Control signature updates stop immediately.
- Application Control stops identifying and blocking applications immediately.
- Application Control configuration options are disabled in Policy Manager.
- Application Control configuration options are disabled in Fireware Web UI.
Data Loss Prevention (DLP)
When the DLP subscription expires:
- DLP signature updates stop immediately.
- DLP stops identifying DLP violations immediately.
- DLP configuration options are disabled in Policy Manager.
- DLP configuration options are disabled in Fireware Web UI.
When the APT Blocker subscription expires:
- APT Blocker stops detecting and blocking APT malware immediately.
- APT Blocker configuration options are disabled in Policy Manager.
- APT Blocker configuration options are disabled in Fireware Web UI.
Botnet Detection is part of the Reputation Enabled Defense (RED) subscription. When the RED subscription expires:
- Botnet Detection no longer receives Botnet Detection site list updates from RED.
- Botnet Detection configuration options are disabled in Policy Manager.
- Botnet Detection configuration options are disabled in Fireware Web UI.
When the Network Discovery subscription expires:
- Network Discovery features are removed from Fireware Web UI.
Threat Detection and Response (TDR)
Threat Detection and Response includes a license in the feature key on the Firebox, and licenses for Host Sensors that you install on endpoints. Threat Detection and Response checks for Host Sensor license expiration at midnight daily.
When the Firebox TDR license expires:
- The Firebox does not send network events to your Threat Detection and Response account.
When the Host Sensor license expires:
- The Host Sensors that were installed first expire first.
- The Install State for an expired Host Sensor is Expired.
- Expired Host Sensors cannot take action on an endpoint.
- Expired Host Sensors continue to report threats for a 7 day grace period after the license expiration date.
- Expired Host Sensors are automatically uninstalled at the end of the 7 day grace period.
If your TDR account does not have an unexpired Host Sensor license, you cannot download a new Host Sensor or select the Install Sensor action.
When you add Host Sensor licenses to your account, the new licenses automatically apply to installed Host Sensors.
When the DNSWatch subscription expires:
- The Firebox uses the existing DNS settings in the Firebox network configuration
- If DNSWatch is expired and no DNS servers are configured on the Firebox:
- To avoid a DNS outage, the Firebox continues to use DNSWatch for DNS queries only.
- No alerts or configuration options are applied
- The Firebox generates a log message to alert you that no DNS servers are configured
Subscription Expiration and FireCluster
These requirements and behaviors are the same for an active/active or an active/passive FireCluster.
- A Support Service subscription applies to a single device, even when that device is configured as a member of a cluster. You must have an active Support subscription for each device in the cluster. If the Support subscription expires for a cluster member, you cannot upgrade the Fireware OS on that device.
- If a subscription service is active (not expired) on at least one member of a FireCluster, you can configure the feature in Policy Manager and you can save configuration changes to the FireCluster.
- If a subscription service is expired on one member of a cluster, the combined feature key, on the Cluster Features tab (in Policy Manager > Setup > Feature Key), shows the service is expired.
The requirements for subscription service licensing and the service expiration behavior are different for an active/passive cluster than they are for an active/active cluster. These differences apply to all subscription services except Support.
- The active cluster member uses the configured subscription services that are active in the feature key of either cluster member.
- If a subscription service does not exist or is expired for both cluster members, the service is not active for the active cluster member. The service expiration behavior is the same as when the subscription service is expired for a single device.
- You must enable the same service subscriptions in the feature key for both devices. Each cluster member uses the configured subscription service only if the subscription is active (not expired) in its own feature key.
- If a subscription service expires on one member of an active/active cluster, the service does not function for that member only. For example, if a WebBlocker subscription expires on one member of an active/active cluster, both devices continue to handle web traffic, but the web requests handled by the cluster member that has an expired WebBlocker service are not filtered by WebBlocker.
For an active/active cluster it is very important to renew subscription services for both cluster members for your subscription services to remain effective.
When the Support subscription expires:
- You cannot upgrade or reinstall Fireware OS on your device, even if it is a Fireware OS version that was released before the Support expiration date.
- WatchGuard does not provide telephone and web-based support, software updates and enhancements, or hardware replacement (RMA).
- Dimension will not accept log messages for the device
- All other functionality, including VPN features, Traffic Monitor and Log Server logging, and management functions, continue to operate.
- You can manage your device and save configuration changes to your device from Policy Manager or the Web UI.
- You can save a backup image of your configuration from Policy Manager or the Web UI.
Synchronize Subscription Renewals
If you have many subscriptions with different expiration dates, your WatchGuard reseller can create a custom renewal quote that synchronizes the renewal dates for multiple subscription services. Contact WatchGuard or your WatchGuard reseller for details.
XCS Services Expiration
The WatchGuard XCS device sends notification messages to the administrator at 90, 60, 30, 7, 2, and 1 days before a feature key expires. To make sure your XCS device operates with full functionality, update your feature key before the expiration date.
When a WatchGuard XCS device feature key expires, the device continues to process and deliver mail, but expired features do not scan or perform actions on messages. Also, you do not receive software and Anti-Spam updates from Security Connection.
For example, if the Anti-Virus scanning feature key expires, the XCS device continues to process mail, but the messages are not scanned for viruses.